Exploitation of push notifications by iPhone apps to obtain user information
Numerous iOS applications are currently using background processes triggered by push notifications to collect user data, thereby potentially constructing profiles that serve tracking purposes.
Apple's App Store Review Guidelines explicitly forbid this: apps may not use data obtained through Apple-provided APIs to fingerprint a device, to identify otherwise anonymous users, or to reconstruct user profiles.
Although iOS is designed to curtail background app activity, both to conserve resources and to limit what apps can do unobserved, a loophole arrived with a mechanism introduced in iOS 10: the Notification Service Extension, which lets an app run a small amount of code in the background to process an incoming push notification before it is displayed to the user.
The mechanism was intended to let apps enrich notification content (for example, decrypt a payload or fetch an image attachment). Numerous apps have instead used the wake-up to transmit device data back to their servers every time a notification arrives.
The data sent includes device details such as system uptime, locale, keyboard language, available memory, battery status, storage utilization, device model, and display brightness.
The concern is that, taken together, these signals are enough to fingerprint a device and profile its user, which is exactly what Apple's rules prohibit.
Apple has said it will close this gap by restricting the use of the APIs that expose these device signals, a move expected to curb abuse of push notification wake-ups.
These "required reason" APIs cover disk space, system boot time, file timestamps, active keyboards, and user defaults. Apple now requires apps to declare, in a privacy manifest, which of these APIs they use and for what approved purpose; apps that fail to declare their use and the reason behind it risk rejection from the App Store.
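The review check Apple's rule implies can be scripted. The following is an added example, not code from the original article or from Apple: it parses a constructed privacy manifest (the `PrivacyInfo.xcprivacy` plist with its `NSPrivacyAccessedAPITypes` entries), compares it against the required-reason API categories a symbol scan of the binaries is assumed to have found, and additionally flags a Notification Service Extension in the bundle (identified by its `com.apple.usernotifications.service` extension point), since that is the wake-up path described above. The manifest, the extension's Info.plist and the "used categories" set are all constructed sample data, and the reason code `CA92.1` in the sample is illustrative; real reason codes must be checked against Apple's documentation.

```python
"""Audit an iOS app bundle's privacy manifest against the required-reason
API categories its binaries reference, and flag a Notification Service
Extension. All inputs below are constructed sample data."""
import plistlib

# The five required-reason API categories, keyed as in PrivacyInfo.xcprivacy,
# mapped to the device signals the article lists.
REQUIRED_REASON_CATEGORIES = {
    "NSPrivacyAccessedAPICategoryFileTimestamp": "file timestamps",
    "NSPrivacyAccessedAPICategorySystemBootTime": "system boot time / uptime",
    "NSPrivacyAccessedAPICategoryDiskSpace": "disk space",
    "NSPrivacyAccessedAPICategoryActiveKeyboards": "active keyboards",
    "NSPrivacyAccessedAPICategoryUserDefaults": "user defaults",
}

# Extension point of a Notification Service Extension (the iOS 10 mechanism
# that runs app code in the background before a push is displayed).
NSE_EXTENSION_POINT = "com.apple.usernotifications.service"

# Constructed PrivacyInfo.xcprivacy: declares UserDefaults with a reason and
# FileTimestamp with no reason at all. The reason code is illustrative.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>CA92.1</string></array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed Info.plist of an .appex inside the bundle.
SAMPLE_APPEX_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.app.NotificationService</string>
  <key>NSExtension</key>
  <dict>
    <key>NSExtensionPointIdentifier</key>
    <string>com.apple.usernotifications.service</string>
  </dict>
</dict>
</plist>
"""

# Constructed result of a symbol scan of the app and its extensions (assumed
# mapping, e.g. statfs -> DiskSpace, systemUptime -> SystemBootTime).
SAMPLE_USED_CATEGORIES = {
    "NSPrivacyAccessedAPICategoryDiskSpace",
    "NSPrivacyAccessedAPICategorySystemBootTime",
    "NSPrivacyAccessedAPICategoryActiveKeyboards",
    "NSPrivacyAccessedAPICategoryUserDefaults",
    "NSPrivacyAccessedAPICategoryFileTimestamp",
}


def declared_reasons(manifest_bytes):
    """Return {category: [reason codes]} from a PrivacyInfo.xcprivacy plist."""
    manifest = plistlib.loads(manifest_bytes)
    out = {}
    for entry in manifest.get("NSPrivacyAccessedAPITypes", []):
        category = entry.get("NSPrivacyAccessedAPIType")
        out[category] = list(entry.get("NSPrivacyAccessedAPITypeReasons", []))
    return out


def is_notification_service_extension(info_plist_bytes):
    """True if the extension's Info.plist names the notification service point."""
    info = plistlib.loads(info_plist_bytes)
    point = info.get("NSExtension", {}).get("NSExtensionPointIdentifier")
    return point == NSE_EXTENSION_POINT


def audit(manifest_bytes, used_categories, appex_info_plists):
    """List findings. A used category counts as undeclared if it is missing
    from the manifest or declared with an empty reason list; Apple's rule
    makes either grounds for rejection."""
    declared = declared_reasons(manifest_bytes)
    findings = []
    for cat in sorted(used_categories):
        if cat in REQUIRED_REASON_CATEGORIES and not declared.get(cat):
            findings.append(
                f"undeclared required-reason API: {REQUIRED_REASON_CATEGORIES[cat]} ({cat})")
    has_nse = any(is_notification_service_extension(p) for p in appex_info_plists)
    if has_nse and findings:
        findings.append(
            "bundle ships a Notification Service Extension: the undeclared "
            "device-signal APIs above can run on every push wake-up")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_MANIFEST, SAMPLE_USED_CATEGORIES, [SAMPLE_APPEX_INFO]):
        print(line)
```

On the sample data the audit reports four undeclared categories (the FileTimestamp entry exists but carries no reason, which is treated the same as absent) and then the extension warning; only UserDefaults passes. In a real review the "used categories" set would come from scanning the Mach-O binaries for the relevant symbols, which is the part this example stubs with constructed data.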
Until these changes take effect, iPhone users concerned about fingerprinting can disable push notifications for the app entirely. Merely silencing notifications is not enough: silencing only changes how a notification is presented, while the push is still delivered to the device and the app's extension still runs, so the data transmission it triggers is unaffected.
The interplay between app behaviors, data transmission processes, and user privacy within the iOS ecosystem reveals a complex landscape. As Apple takes measures to fortify its platform against potential abuses, users are encouraged to stay informed and remain vigilant in safeguarding their digital privacy.